Create a custom RBAC (role-based access control) role using PowerShell in Azure

MVP

 

Hi Azure friends,

I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments):

 

#The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE

Set-Location C:\Temp
Clear-Host

 

#So that you can carry out the configuration, you need the necessary cmdlets, these are contained in the module Az (is the higher-level module from a number of submodules)

Install-Module -Name Az -Force -AllowClobber -Verbose

 

#Log into Azure
Connect-AzAccount

 

#We look at the provider

Get-AzProviderOperation "Microsoft.Support/*" | FT Operation, Description -AutoSize

 

#We copy an existing role and expand it later

Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json | Out-File C:\Temp\ReaderSupportRole.json

 

#Open the ReaderSupportRole.json in VSCode or any other editor

 

#We need the subscription ID

Get-AzSubscription

 

#In AssignableScopes, add your subscription ID
#Change the Name and Description properties to "Reader Support Tickets" and "View everything in the subscription and also open support tickets." Also change from "IsCustom":  false " to "IsCustom":  true. In "Actions" add "Microsoft.Support/*"

 

#Now we add our role to Azure

New-AzRoleDefinition -InputFile "C:\Temp\ReaderSupportRole.json"

 

#To list all your custom roles
Get-AzRoleDefinition | ? {$_.IsCustom -eq $true} | FT Name, IsCustom

or

Get-AzRoleDefinition "Reader Support Tickets"

 

You can also see the custom role in the Azure portal. Now you have configured an RBAC role with the PowerShell in Azure! Congratulations!

 

I hope this article was useful. Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

0 Replies